
Conversation

@garvit-joshi

Adds trustStoreCertificateChains field to BundleInfo to expose truststore certificates separately from keystore certificates in the SSL info endpoint.

Closes #45845

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 26, 2026
@mhalbritter mhalbritter self-assigned this Jan 28, 2026
@mhalbritter mhalbritter added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 28, 2026
@mhalbritter mhalbritter added this to the 4.1.x milestone Jan 28, 2026
@mhalbritter
Contributor

mhalbritter commented Jan 28, 2026

Hello @garvit-joshi,

thanks for the PR. I played around with it a bit, and while this works when the truststore has "Private Key" entries in it (secret key + certificate), it fails when a truststore only contains "Trusted Certificate" entries.

The reason is that KeyStore.getCertificateChain only works for "Private Key" entries, as stated in the JavaDoc:

Returns the certificate chain associated with the given alias. The certificate chain must have been associated with the alias by a call to setKeyEntry, or by a call to setEntry with a PrivateKeyEntry.

To get the (leaf) certificate for a "Trusted Certificate" entry, you'd need to call KeyStore.getCertificate. However, this will only give you the leaf certificate (the last one in the chain). So either we rename trustStoreCertificateChains to trustStoreCertificates or we need to go the hard route of getting the complete chain for a truststore "Trusted Certificate" entry.

You can use those two keystores to play around; the passwords for both the keystore and the private keys are secret. The keystore contains "Private Key" entries, while the truststore contains "Trusted Certificate" entries (I haven't put in the work to really create a chain of trust, it's all self-signed certificates without a real chain).

We should also verify that it works with a test which doesn't reuse the keystore as the truststore.

@mhalbritter mhalbritter added the status: waiting-for-feedback We need additional information before we can continue label Jan 28, 2026
…store tests

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
@garvit-joshi
Author

Hi @mhalbritter,

Thank you for the detailed feedback and for providing the test keystores!

I've updated the implementation to handle trustedCertEntry entries. The code now first tries getCertificateChain() for PrivateKeyEntry entries, and falls back to getCertificate() for trustedCertEntry entries.

I've also added a new test separateKeyStoreAndTrustStoreShouldProvideSslInfo() that uses separate keystore (with 2 PrivateKeyEntry entries) and truststore (with 3 trustedCertEntry entries) to verify both scenarios work correctly.

Thanks again for your guidance!
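The two points made above, that KeyStore.getCertificateChain only answers for key entries while a "Trusted Certificate" entry yields a single certificate through KeyStore.getCertificate, and that an implementation therefore has to branch on the entry kind, can be seen end to end in the following stand-alone program. It is an added example, not code from this PR or from Spring Boot: the class name TrustStoreChains, the command-line arguments (store path and password) and the buildChain helper are assumptions made here. The helper goes one step past the thread's "hard route" remark and reconstructs a chain for a lone trusted certificate from the other certificates in the same store, by matching issuer to subject and verifying each signature with the candidate issuer's public key; on a store of unrelated self-signed certificates, like the one described in the thread, it simply returns the single certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Example, not Spring Boot's code: print the certificate chain for every entry
 * of a keystore or truststore, handling both PrivateKeyEntry and
 * TrustedCertificateEntry aliases.
 *
 * Usage (assumed): java TrustStoreChains <path-to-store> <store-password>
 * The store type is KeyStore.getDefaultType() (PKCS12 on current JDKs).
 */
public class TrustStoreChains {

    /** Certificates stored under one alias, whatever kind of entry it is. */
    static List<X509Certificate> certificatesFor(KeyStore store, String alias) throws Exception {
        List<X509Certificate> result = new ArrayList<>();
        if (store.isKeyEntry(alias)) {
            // PrivateKeyEntry: the whole chain was stored with the key and
            // getCertificateChain needs no key password to read it.
            // A SecretKeyEntry is also a "key entry" but has no chain (null).
            Certificate[] chain = store.getCertificateChain(alias);
            if (chain != null) {
                for (Certificate c : chain) {
                    result.add((X509Certificate) c);
                }
            }
        } else if (store.isCertificateEntry(alias)) {
            // TrustedCertificateEntry: getCertificateChain would return null,
            // only getCertificate gives the single stored certificate.
            result.add((X509Certificate) store.getCertificate(alias));
        }
        return result;
    }

    /**
     * Best-effort chain for a lone certificate: walk issuer -> subject through
     * the pool, accepting a candidate only if it actually signed the current
     * certificate. Stops at a self-signed certificate or when no issuer is found.
     */
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> pool) {
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (current != null && !chain.contains(current)) {
            chain.add(current);
            if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                break; // reached a self-signed certificate
            }
            X509Certificate issuer = null;
            for (X509Certificate candidate : pool) {
                if (!candidate.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    continue;
                }
                try {
                    current.verify(candidate.getPublicKey()); // throws if not the real issuer
                    issuer = candidate;
                    break;
                } catch (Exception e) {
                    // name matches but key does not: keep looking
                }
            }
            current = issuer;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        // Collect every certificate once so lone trusted entries can be chained
        // against the other entries of the same store.
        List<String> aliases = Collections.list(store.aliases());
        List<X509Certificate> pool = new ArrayList<>();
        for (String alias : aliases) {
            pool.addAll(certificatesFor(store, alias));
        }
        for (String alias : aliases) {
            List<X509Certificate> certs = certificatesFor(store, alias);
            String kind = store.isKeyEntry(alias) ? "PrivateKeyEntry" : "TrustedCertificateEntry";
            if (store.isCertificateEntry(alias) && certs.size() == 1) {
                certs = buildChain(certs.get(0), pool);
            }
            System.out.println(alias + " (" + kind + "):");
            for (X509Certificate c : certs) {
                System.out.println("  " + c.getSubjectX500Principal()
                        + "  issued by  " + c.getIssuerX500Principal());
            }
        }
    }
}
```

Two things worth checking when adapting this: isKeyEntry is also true for SecretKeyEntry aliases, for which getCertificateChain returns null, so the null guard is not optional; and buildChain deliberately requires a signature check rather than a mere issuer/subject name match, because a truststore may hold several certificates with the same subject name (for example an old and a renewed CA) and name matching alone would chain to the wrong one.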

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 29, 2026

Development

Successfully merging this pull request may close these issues.

Show certificates from truststore in SSL info endpoint
